CN110224876B - A method for measuring the effectiveness of DDoS attack and defense at the application layer - Google Patents


Info

Publication number
CN110224876B
Authority
CN
China
Prior art keywords
attack
defense
server
value
network
Legal status
Active
Application number
CN201910571268.3A
Other languages
Chinese (zh)
Other versions
CN110224876A (en)
Inventor
赵小林
薛静锋
李跃
曾冲寒
吴美静
侯新宇
陈全保
张漪墁
徐浩
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Application filed by Beijing Institute of Technology BIT
Priority to CN201910571268.3A
Publication of CN110224876A
Application granted
Publication of CN110224876B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for measuring the utility of application-layer DDoS attack and defense. With the invention, the application-layer DDoS attack and defense utility value can be computed scientifically and effectively, and because the application, physical and network layers are all taken into account, the result is more comprehensive and objective. Starting from the definitions of behaviour and utility in traditional sociology and engineering, the invention analyses and defines attack and defense behaviour and utility in a network; it maps the logical topology of the network system into a multi-dimensional affine space, where the number of performance indicators of a network node is the dimension of that space, and proves the mapping between a multi-dimensional hyperparallelepiped in multi-dimensional Euclidean space and the state of a network node. On this basis it proposes that the state value of a network node is the volume of the corresponding multi-dimensional hyperparallelepiped, so that the state of a network node can be quantified scientifically and effectively. At the same time, the selection of indicators considers the application, physical and network layers, so that the effect of application-layer DDoS attack and defense is assessed more objectively and comprehensively.

Figure 201910571268

Description

A method for measuring the effectiveness of DDoS attack and defense at the application layer

Technical field

The invention relates to the technical field of cyberspace security, and in particular to a method for measuring the utility of application-layer DDoS attack and defense.

Background

Distributed denial-of-service (DDoS) attacks are a form of attack that can be neither eradicated nor avoided. The most complex form of DDoS attack is the application-layer DDoS attack, which typically occupies a large share of a web server's request queue so that the server can no longer provide normal web service to legitimate users. How to analyse the impact value of an attack comprehensively, from the perspective of the network itself and of its users, and how to provide exactly the right amount of defense when an attack occurs so as not to waste resources, is a problem that is currently hard to solve. To solve it, the security of a network system must be measured and evaluated while security is also fully considered at the design stage. In traditional network security assessment techniques, however, subjective human factors are usually unavoidable. In current techniques for assessing the impact of application-layer DDoS attacks, the main evaluation method is to analyse various observed indicators and then compute some quantity, defined within the method, that is taken to represent the impact of the attack. These methods have three shortcomings: first, the proposed definitions lack a basis in existing mature theory; second, they seldom yield intuitive results from which an attack impact value can be computed quantitatively; third, almost none of them analyses the impact value of defenses, so they offer little reference value in that respect.

For example, the patent application "A method of network security risk assessment" (publication number CN107204876A; inventors Gao Qiang, Huang Yuanfei, Lin Xingchen et al.) combines an intrusion detection system, vulnerability detection and real-time attack events obtained from third parties to dynamically assess the security of the target network on top of a static risk assessment. The method rests on the results of a static risk assessment of the target network; it then uses corresponding tools to analyse the dynamic changes in threat and vulnerability information, and takes the alerts generated by the intrusion detection system and the firewall as an important basis for evaluating the risk status of the system. Because this scheme depends on the results of a static risk assessment, and static risk assessment is inevitably affected by subjective factors, the evaluation results are not entirely objective.

The patent application "A quantitative network security protection strength evaluation method" (publication number CN108566307A; inventors Li Xiaoyong, Guo Yu) collects software behaviour features from network nodes, randomly selects the software behaviour features of some nodes as training data for software behaviour analysis, and trains on them to produce a network security analysis model. A machine-learning algorithm then analyses and evaluates the software behaviour features of all nodes in the feature library, and a quantitative protection-strength evaluation result is finally computed. In this scheme, however, the training data for software behaviour analysis are node data randomly drawn from the software behaviour database, so the selection of software behaviour features is to some extent not comprehensive, and the comprehensiveness and overall rigour of the evaluation results suffer.

The patent application "A computer network security assessment based on description logic" (publication number CN105812381A; inventors Wang Tao, Xu Chao, Liu Xiao et al.) uses the "concepts", "individuals" and "relations" of a logical framework together with description-logic inference rules to describe the structural relations of a local area network or other secure system, and on that basis derives and quantitatively analyses the security level of the target system. From this a security assessment formula is formed and a network security assessment value is computed. The application gives no description of the concrete quantification formula; it only proposes that the corresponding formula be produced by a security-assessment-formula generator, with no specific mathematical model to support it.

Therefore, it is currently difficult to assess the impact of application-layer DDoS attacks and the magnitude of the effect of defensive measures.

Summary of the invention

In view of this, the present invention provides a method for measuring the utility of application-layer DDoS attack and defense. It can compute the application-layer DDoS attack and defense utility value scientifically and effectively, and because it takes the application, physical and network layers into account, it is more comprehensive and objective.

The application-layer DDoS attack and defense utility measurement method of the present invention comprises the following steps:

Step 1: construct an indicator matrix. The indicator matrix is a diagonal matrix whose diagonal entries are the individual indicators of the server; the indicators include application-layer indicators, network traffic indicators and hardware performance indicators.

Step 2: collect the indicator values of the server under different attack and defense effects, and obtain the state value of the server from the indicator matrix constructed in step 1; the state value of the server is the determinant of the indicator matrix.

Step 3: the change in the state value of the server under attack and defense, relative to its state value under zero attack and zero defense, is the attack/defense effect value of the server; the accumulation of the attack/defense effect value over time is the attack/defense utility value of the server.

Preferably, in step 1 the following six indicators are selected: network throughput per second, number of TCP segments, number of IP datagrams, access failure rate, average response time and CPU usage.

Preferably, in step 3 the attack/defense effect value of the server is taken as the average of the server's attack/defense effect values over the period during which the attack and defense act.

Preferably, the attack effect value of an application-layer DDoS attack is the ratio of the server's state value while under attack to its state value during normal operation; the defense effect value of the server against the application-layer DDoS attack is the ratio of the difference between the server's state values before and after the defensive measures are added, under the same attack, to the server's state value during normal operation.

Beneficial effects:

(1) Starting from the definitions of behaviour and utility in traditional sociology and engineering, the invention analyses and defines attack and defense behaviour and utility in a network, then maps the logical topology of the network system into a multi-dimensional affine space in which the performance indicators of a network node correspond to the dimensions, and proves the mapping between a multi-dimensional hyperparallelepiped in multi-dimensional Euclidean space and the state of a network node. From this a new way of computing the state value of a network node is proposed: the state value is the volume of the corresponding multi-dimensional hyperparallelepiped, which quantifies the node's state scientifically and effectively. In selecting indicators, the method considers the impact of application-layer DDoS attack and defense on server security as a whole, including the application, physical and network layers, so that the attack and defense effects can be assessed more objectively and comprehensively.

(2) From the perspective of attack effect, the method analyses how much each combination of attack type, attack scale and attack intensity affects the target system, so the advantages and drawbacks of each kind of attack can be analysed quantitatively, for instance the resources the attack requires and how much the attack effect grows as the attack scale accumulates. Compared with existing methods for computing the impact of application-layer DDoS attack and defense, the attack effect offers a more concrete and practical objective reference for how threatening an attack is. In this sense the computation of the attack effect has real practical significance.

(3) The magnitude of the defense effect is analysed from the perspective of the lower layers of the network; current research rarely evaluates the security of a network system from the perspective of the defense effect. By comparing the computed attack effect with a threshold, the method quantitatively computes the magnitude of the defense effect and provides a more intuitive reference value for a defensive function. It also analyses the survivability of a defensive function from the perspective of its quality: the method can compute how large an attack intensity each kind of defensive function can withstand, which provides an important basis for building defenses.

(4) The impact value of application-layer DDoS attack and defense is explained at the level of utility: with time as the lower and upper limit, the attack utility is obtained from the average attack effect and the defense utility from the comparison with the defense. Compared with traditional methods, this method places more emphasis on the mathematical model, taking the attack duration as the start and end points of the attack. After the attack effect at each moment is computed, the average attack effect is obtained; the average attack effect, on the basis of its soundness, not only expresses the magnitude of this attack's effect intuitively but also greatly simplifies the computation of utility. Through the computation of utility, the impact that the attack effect and the defensive measures each have on the network system after an application-layer DDoS attack occurs can be described more reasonably, accurately and intuitively.

Description of the drawings

Figure 1 is a schematic diagram of the network state value.

Figure 2 is a schematic diagram of the computation of attack and defense effects.

Figure 3 is a flow chart of the attack and defense utility measurement of the present invention.

Detailed description

The present invention is described in detail below with reference to the accompanying drawings and embodiments.

The present invention provides a method for measuring the utility of application-layer DDoS attack and defense. Taking the definitions of behaviour and utility in traditional sociology and engineering as its basis, it analyses the characteristics of attack and defense behaviour in a network, proposes related definitions such as application-layer DDoS attack and defense utility, and analyses their properties; it then proves the mapping between Euclidean space and the logical topology of the network, uses an n-dimensional hyperparallelepiped in n-dimensional Euclidean space to describe the state of a network node, computes the volume of that hyperparallelepiped to estimate the node's state value, proposes a method for selecting metrics and the related computation method for application-layer DDoS attack and defense utility, and obtains the application-layer DDoS attack and defense effect and utility; finally, simulation experiments verify the feasibility and accuracy of the method.

(1) Definitions related to attack and defense utility

The present invention analyses and defines network attack and defense utility from a sociological and an engineering perspective: the definition of behaviour is analysed from the sociological perspective and the definition of utility from the engineering perspective. Specifically, following the traditional sociological definition of behaviour, the invention defines attack and defense behaviour in a network as follows: in terms of the objects of the network and the relations between them, attack behaviour or defense behaviour is the series of state transitions that an attack means or a defense means triggers in the network; the change in network state caused by the occurrence of an attack process can be described as attack behaviour, and the change in network state caused by a defense means weakening the effect of the attack can be defined as defense behaviour. Combining this with engineering theory, the invention defines the effect of attack and defense behaviour in a network as follows: the effect of attack and defense behaviour is the cause by which attack and defense behaviour changes the inside of the network system through a series of actions within it; through that effect the network state is changed. For attack and defense utility, the invention gives the following definition: utility is a basic metric characterising the performance of a system or scheme, and denotes the accumulated amount of effect that a behaviour, acting in some space and within a certain range, exerts on an object.

(2) Proof of the mapping between the logical network topology and an n-dimensional affine space

The topology of a computer network refers to the physical structure of nodes and links formed by the computing devices and transmission media in the network. The nodes are mainly divided into switching nodes and access nodes, and the transmission media are the communication links; every network structure consists of its nodes and their communication links. Network topology comprises physical topology and logical topology; common logical topologies are the star, bus, ring, tree and mesh structures.

The logical network topology can be mapped into an affine space:

According to the link relations between the elements of the object set A (the set of device nodes in the network system), the elements of A can be mapped into a vector space V.

This mapping sends any ordered pair of points p, q in A to a vector in V

Figure GDA0002673603260000061

and satisfies the following conditions:

(1)

Figure GDA0002673603260000062

(2)

Figure GDA0002673603260000063

there exists a unique point q∈A such that

Figure GDA0002673603260000064

(3)

Figure GDA0002673603260000065

Therefore the set A, that is, the set of nodes in the network system, can be mapped into an affine space.

According to the definitions of attack and defense behaviour, effect and utility given in (1), analysis of the attack and defense process in a network system shows that, in a logical network topology, each node device can be regarded as an independent subspace of the network space. From the normal operating state of the node device and the collection of each indicator value after attack behaviour occurs, each indicator is one dimension; by virtue of these indicator dimensions, the directions of the indicator values in the n-dimensional coordinate system of the subspace are mutually perpendicular, so the vectors corresponding to the indicator values are linearly independent in the affine space. It follows that a network scenario built on the logical network topology can be described as an n-dimensional affine space, and the scenario of a particular network behaviour is a subspace of that n-dimensional affine space. Since an affine space is a generalisation of the affine properties of Euclidean space, each node in the network can be regarded as an n-dimensional Euclidean space.

(3) Proof of the mapping between an n-dimensional hyperparallelepiped and the network state

While attack/defense behaviour occurs at a node of a network topology, the indicator items of that node change, and the indicator dimensions correspond to the dimensions of the affine space: one indicator item of a device corresponds to one vector in n-dimensional Euclidean space, so n indicators can be depicted as n linearly independent vectors in Euclidean space. From the definition of an n-dimensional hyperparallelepiped it can be shown that this set of indicator vectors spans an n-dimensional hyperparallelepiped, which is the geometric form that the node of the network space takes in Euclidean space, and hence that this geometric body can be used to describe the state of the network node. In terms of the physical meaning of the network topology, the occurrence of attack and defense behaviour in a network necessarily changes each indicator item of a network node; and because the indicator items of a node do not depend on one another while attack and defense behaviour occurs, their changes being determined entirely by the attack and defense effects, the indicator items can be regarded as mutually independent, and when mapped into n-dimensional space their indicator vectors change in different directions. Mapping the indicator changes of a network node into the node's corresponding n-dimensional Euclidean space therefore shows that the indicators are n linearly independent vectors in that Euclidean space, which proves that the network scenario can be mapped to an n-dimensional hyperparallelepiped.

(4) Method for selecting metrics

Since application-layer DDoS attacks typically occupy a large share of a web server's request queue so that the server can no longer provide normal web service to legitimate users, the utility of application-layer DDoS attack and defense can be measured by computing the change in the server's state before and after attack and defense occur. Accordingly, in selecting indicators the invention considers the application, physical and network layers to reflect the impact of the attack on the server, and selects network-traffic indicators such as network throughput per second, number of TCP segments and number of IP datagrams; hardware performance indicators such as CPU usage and memory usage; and application-layer indicators such as average response time and access failure rate. The invention is not limited to these indicators; any that adequately reflect the security state and performance of the server will do. In this embodiment the following six indicators are preferred: network throughput per second, number of TCP segments, number of IP datagrams, access failure rate, average response time and CPU usage. These six indicator items describe an application-layer DDoS attack comprehensively, take the network-layer and hardware-layer impact into account, can be used to analyse the impact value of a DDoS attack more completely, and keep the subsequent computation small.

(五)应用层DDoS攻防效用相关计算方法与数学建模(5) Calculation methods and mathematical modeling related to DDoS attack and defense utility at the application layer

(1)网络状态值计算方法与数学建模(1) Calculation method and mathematical modeling of network state value

网络状态值计算方法思路如图1所示。The idea of network state value calculation method is shown in Figure 1.

本发明将网络中的各设备节点看作是网络空间中的各独立子空间,将设备指标作为子空间的维度,映射至n维空间中,各个指标均对应空间中的向量,节点指标的数值变化也就意味着对应向量的长度会发生变化。由前文可知,网络节点指标向量可以映射为n维欧氏空间中的n维超平行体,通过这个几何模型(n维超平行体)可以描述网络节点的状态,利用n维超平行体体积可以直观地描述网络节点的当前状态值。The invention regards each device node in the network as each independent subspace in the network space, and takes the device index as the dimension of the subspace and maps it to the n-dimensional space, each index corresponds to a vector in the space, and the value of the node index The change also means that the length of the corresponding vector will change. As can be seen from the foregoing, the network node index vector can be mapped to an n-dimensional hyperparallel in an n-dimensional Euclidean space. Through this geometric model (n-dimensional hyperparallel), the state of the network node can be described, and the n-dimensional hyperparallel volume can be used to describe the state of the network node. Visually describe the current state values of network nodes.

网络状态值的具体计算步骤如下:The specific calculation steps of the network state value are as follows:

第一步,构建n维矩阵。根据指标的选取,假设选取了n个指标,这n个指标分别为m1、m2、m3、……、mn。根据前文的论证,网络节点中每一个指标均为n维欧氏空间V中的线性无关的向量。因此,n个指标可以映射至n维空间中的向量维度,以本实施例优选的6个指标为例,该6个指标可映射至六维空间中的向量维度,其向量分别表示为:The first step is to construct an n-dimensional matrix. According to the selection of indicators, it is assumed that n indicators are selected, and the n indicators are respectively m 1 , m 2 , m 3 , ..., m n . According to the previous argument, each index in the network node is a linearly independent vector in the n-dimensional Euclidean space V. Therefore, n indicators can be mapped to the vector dimension in the n-dimensional space. Taking the preferred 6 indicators in this embodiment as an example, the 6 indicators can be mapped to the vector dimension in the six-dimensional space, and the vectors are respectively expressed as:

Figure GDA0002673603260000081
Figure GDA0002673603260000081

The 6-dimensional matrix formed by these six vectors is therefore a diagonal matrix:

Figure GDA0002673603260000091

Step 2: compute the volume of the parallelotope in 6-dimensional Euclidean space. The volume V(m1, m2, ..., m6) of the parallelotope spanned by the six vectors above is:

V(m1, m2, ..., m6) = V(m1, m2, ..., m5) · h6   (3)

where h6 is the length of the component of m6 orthogonal to the subspace spanned by m1, m2, ..., m5, and V1(α) = |α| for α = m1, m2, ..., m6. It can be shown that:

Figure GDA0002673603260000092

where G(m1, m2, ..., m6) is the Gram determinant and D is the determinant of the coordinates of (m1, m2, ..., m6) with respect to an orthonormal basis of V; the volume is the square root of the Gram determinant, which equals |D|.

It follows that the network state value at a time t is the determinant of the diagonal matrix M obtained in step 1. Writing the state value as St, it is computed as:

St = |M|   (4)

Step 3: compute the arithmetic mean of the network state over the attack. To avoid relying on a single, possibly anomalous, sample, the arithmetic mean of the node state over a period is taken as the node's security state for that period. Over the duration ti, i = 1, 2, ..., m, during which attack and defense act together, the network state value at each instant is

Figure GDA0002673603260000093

so the arithmetic mean of the network state is:

Figure GDA0002673603260000094

Example 1. Suppose the six indicators collected from a network node with no attack in progress, namely network throughput rate, TCP segment transmission rate, IP datagram transmission rate, mean traffic arrival time, CPU utilization and transaction failure rate, are 1/s, 2/s, 3/s, 1 s, 1% and 1% respectively, the mean traffic arrival time and the transaction failure rate being averages. Compute the node's state value S at the current instant.

By formulas (1) and (2), the current indicators form the diagonal matrix M:

Figure GDA0002673603260000095

By formulas (3) and (4), the volume of the 6-dimensional parallelotope onto which the current network logical topology maps, i.e. the node state value, is S = |M| = 1 · 2 · 3 · 1 · 1 · 1 = 6.
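The state-value computation of steps 1 to 3 and Example 1, as an added example (editor's code, not the patent's): it computes St as the determinant of the diagonal index matrix, the arithmetic mean of formula (5), and a baseline S0 chosen as the most stable window of a normal-operation series, which is how this example reads the description's rule of picking the period whose data fluctuate least (an assumption; the patent does not fix a statistic). Indicator names follow the preferred embodiment; the sample series is constructed. Two points the code makes explicit: because M is diagonal, St is simply the product of the indicator values, so it depends on the units chosen (Example 1 enters 1% as 1, not 0.01), and a single indicator equal to 0 drives St to 0 whatever the other five are.

```python
# Added example (editor's code, not from the patent): node state value
# S_t = |M| of formulas (1)-(4), the arithmetic mean of formula (5), and a
# baseline S0 taken from the most stable window of a normal-operation series.
from math import prod
from statistics import mean, pstdev
from typing import Sequence, Tuple

# The six indicators of the patent's preferred embodiment, in the order of Example 1.
INDICATORS = (
    "network throughput rate (per s)",
    "TCP segment transmission rate (per s)",
    "IP datagram transmission rate (per s)",
    "mean traffic arrival time (s)",
    "CPU utilization (%)",
    "transaction failure rate (%)",
)


def state_value(indicators: Sequence[float]) -> float:
    """S_t = |M| for the diagonal index matrix M = diag(m1, ..., mn) (formula (4)).

    The indicators sit on orthogonal axes, so the parallelotope of formula (3)
    is an axis-aligned box, every height h_i is just m_i, and the determinant
    is the product of the diagonal.  Consequences: the value depends on the
    units used (Example 1 enters 1% as 1), and one indicator equal to 0 makes
    S_t = 0 regardless of the others, hence the positivity check.
    """
    if len(indicators) != len(INDICATORS):
        raise ValueError(f"expected {len(INDICATORS)} indicators, got {len(indicators)}")
    if any(m <= 0 for m in indicators):
        raise ValueError("all indicators must be positive for |M| to be meaningful")
    return prod(indicators)


def mean_state(samples: Sequence[Sequence[float]]) -> float:
    """Arithmetic mean of S_t over the sampling instants t_1, ..., t_m (formula (5))."""
    return mean(state_value(s) for s in samples)


def baseline_state(samples: Sequence[Sequence[float]], window: int) -> Tuple[int, float]:
    """Threshold S0 from normal-operation data.

    The description selects the stretch of normal operation whose data fluctuate
    least; this example operationalizes that (an assumption) as the window of
    `window` consecutive samples with the smallest coefficient of variation of
    S_t.  Returns (start index, mean S_t of that window) so the chosen stretch
    can be inspected, not only its value.
    """
    if not 1 <= window <= len(samples):
        raise ValueError("window must be between 1 and the number of samples")
    values = [state_value(s) for s in samples]
    best_start, best_cv = 0, float("inf")
    for start in range(len(values) - window + 1):
        chunk = values[start:start + window]
        cv = pstdev(chunk) / mean(chunk)   # mean > 0 because every indicator is positive
        if cv < best_cv:
            best_start, best_cv = start, cv
    return best_start, mean(values[best_start:best_start + window])


# Constructed one-sample-per-second series (not measurement data): a quiet stretch
# identical to Example 1 (S_t = 6), a short burst, then a noisier tail.
SAMPLE_SERIES = (
    (1, 2, 3, 1, 1, 1),
    (1, 2, 3, 1, 1, 1),
    (1, 2, 3, 1, 1, 1),
    (2, 4, 6, 1, 1, 1),   # burst: S_t = 48
    (1, 2, 3, 1, 1, 1),
    (3, 6, 9, 2, 2, 2),   # S_t = 1296
)

if __name__ == "__main__":
    print("Example 1: S =", state_value((1, 2, 3, 1, 1, 1)))
    start, s0 = baseline_state(SAMPLE_SERIES, window=3)
    print(f"baseline window starts at sample {start}, S0 = {s0}")
    print("mean S_t over the whole series:", mean_state(SAMPLE_SERIES))
```

Because S_t is a product, the mean over a series is pulled strongly by short bursts (one 1296 sample lifts the six-sample mean from 6 to 228), which is why the baseline should be taken from the most stable stretch rather than from an arbitrary average.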

(2) Calculation method and mathematical modeling of attack and defense effects

The method of measuring the magnitude of the attack effect is shown in Figure 2.

Because both the attacks a node suffers and the defenses it adopts change the node's state value, the change in the state value can be used to describe the attack and defense effects and their utility. The attack intensity on the node is preset to 1 and the defense baseline to 0, and the attack effect for the current attack method and intensity is obtained from the rate of change of the node's state value caused by the attack. With the node's initial value set to 0, i.e. with no defense measure added, the attack effect is given directly by the node state value; the same idea yields the method for computing the magnitude of a defense effect. Because attack and defense behaviour vary over time, to keep the computed effects generally applicable one should judge from the attack effect at each instant when the attack intensity has changed, then select a period of constant attack intensity and take the average attack effect over it; this removes the peaks and troughs of the attack effect and describes it as a whole.

With the time span held fixed, the overall computation route for the attack and defense effects is shown in Table 1. The table lists, for a fixed time span, the change in attack effect brought by a change in attack intensity and the change in defense effect caused by accumulating defense measures. To show these variations more clearly, the values in the table are abstract and do not represent specific attack or defense intensities.

Table 1. Simulated calculation of attack and defense effect magnitudes

Figure GDA0002673603260000101

Figure GDA0002673603260000111

Once the state-value model is established, the threshold is selected as follows: server performance records, network analysis, application service metrics and related indicators are analysed, a 1 to 5 hour period in which the data fluctuate least and which best matches the access pattern of legitimate users is chosen, a stretch of normal operation is selected from it and its state value S0 is computed. When an attack takes place, the change in the network state value is described by the attack effect, i.e. the degree to which the state value of the attacked network changes relative to the threshold.

1. Attack effect calculation model

Suppose that under attack intensity X the network state value at time t1 is S1. The attack effect at each instant (Figure GDA0002673603260000112) is computed as:

Figure GDA0002673603260000113

The average attack effect is computed as:

Figure GDA0002673603260000114

Example 2. Suppose the six indicators collected from a network node under normal operation, namely network throughput rate, TCP segment transmission rate, IP datagram transmission rate, mean traffic arrival time, CPU utilization and transaction failure rate, are 1/s, 2/s, 3/s, 1 s, 1% and 1% respectively, all of them averages. When an attack occurs, the average values of the indicators over the attack are 10/s, 20/s, 30/s, 10 s, 10% and 10%. Compute the average attack effect.

All values in the example are averages, so the average network state value can be computed directly. By formulas (1), (2) and (5), the average network state value under normal operation, SN, is

Figure GDA0002673603260000115

that is, SN = 1 · 2 · 3 · 1 · 1 · 1 = 6. During the attack the average network state value SA is

Figure GDA0002673603260000121

that is, SA = 10 · 20 · 30 · 10 · 10 · 10 = 6,000,000.

By formula (7), the average attack effect over this attack (Figure GDA00026736032600001210) is

Figure GDA0002673603260000122

2. Defense effect calculation model

Suppose that under attack intensity X, with no defense measure added to the system, the network state value is s1, so that by formula (6) the attack effect at time t1 is

Figure GDA0002673603260000123

If a defense measure D is then added to the system and the network state value becomes S1′, the attack effect becomes

Figure GDA0002673603260000124

and the change in attack effect is written

Figure GDA0002673603260000125

By formula (6), the defense effect at time t1 is computed as:

Figure GDA0002673603260000126

The average defense effect is computed as:

Figure GDA0002673603260000127

Example 3. Starting from the data of Example 2, after a defense technique is configured on the target network node the average indicator values during the attack are 5/s, 10/s, 15/s, 5 s, 5% and 5%. Compute the defense effect (to two decimal places).

By formulas (1), (2) and (5), the average network state value with the defense configured, SD, is

Figure GDA0002673603260000128

that is, SD = 5 · 10 · 15 · 5 · 5 · 5 = 93,750.

By formula (8) and the result of Example 2, the average defense effect over this engagement (Figure GDA00026736032600001211) is

Figure GDA0002673603260000129

(3) Calculation method and mathematical modeling of attack and defense utility

The utility value expresses the total attack effect inflicted on a network node over the attack duration, and the total defensive capability provided by the defense effect over the engagement. In an application-layer DDoS attack the attacker's traffic is normally not constant, since traffic in the network is constrained by many factors. The attack effect therefore gives the magnitude of the attack at a point in time but does not reflect the impact of the attack over its whole course. Building on the threshold, the attack effect at each instant after the attack begins can be obtained, and the attack utility then expresses the impact of this attack type over the whole attack: the utility is the sum of the effects, the accumulation of the attack effect over time. Let the attack effect be F; when the threshold is set and selected the attack effect is 0 and so is the attack utility. When an attack occurs, let the attack effect be F1 at t1, F2 at t2, ..., and Fn at tn. Given the threshold, the attack utility E is computed as

Figure GDA0002673603260000131

The utility value represents the accumulation of the attack or defense effect, because in practice neither the attacker's effect nor that of the defense can remain constant during the engagement. The evaluation therefore needs the utility of both effects over the whole process, i.e. the utility value states the total effect of attack and defense over the engagement.

From the results of formulas (7) and (9), let the attack intensity be X and the defense intensity Y over the attack duration t, with average attack effect

Figure GDA0002673603260000132

and average defense effect

Figure GDA0002673603260000133

Then the attack utility EA and the defense utility ED are computed as:

Figure GDA0002673603260000134

Figure GDA0002673603260000135

From the utility values one can determine how much of the current attack type's effect a defense measure withstands, which motivates the notion of defense efficiency. By formula (10), with the defense at 0 the attack utility over a period t is EA; after the defense measure is added to the current system configuration the attack utility is EA′. The defense efficiency DE is then computed as:

Figure GDA0002673603260000141

Example 4. Using the assumed data of Example 3 and an engagement lasting 60 seconds, compute the attack and defense utilities EA and ED and the defense efficiency DE.

By formulas (11) and (12), the attack and defense utilities over the engagement are:

Figure GDA0002673603260000142

Figure GDA0002673603260000143

The defense efficiency DE is:

Figure GDA0002673603260000144
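Examples 2 to 4 carried through in code, as an added example (editor's code, not the patent's). Formulas (6) to (13) survive on this page only as images, so the code uses the definitions given in the claims: the attack effect is the ratio of the state value under attack to the normal-operation state value (claim 4), the defense effect is the ratio of the difference between the undefended and defended state values to the normal-operation state value (claims 1 and 4), and utility is the accumulation of the effect over time, which for a constant average effect is average effect times duration (formulas (11) and (12)). Writing the defense efficiency as (EA − EA′)/EA is this example's assumption, read from the description's definition of EA and EA′; it equals ED/EA because ED = EA − EA′ under these definitions. The test at the end also checks that a per-indicator unit change (1% entered as 0.01 instead of 1) cancels in these ratios as long as all three states use the same units, so St alone is unit-dependent but the effects are not.

```python
# Added example (editor's code, not from the patent): attack effect, defense
# effect, utility and defense efficiency in the state-value model, carried
# through on the values of Examples 2-4.  Effect and utility definitions follow
# the claims; the defense-efficiency formula is this example's assumption.
from math import prod
from typing import Dict, Sequence


def state_value(indicators: Sequence[float]) -> float:
    """S = |M| for the diagonal index matrix, i.e. the product of the indicators (formula (4))."""
    return prod(indicators)


def attack_effect(s_attack: float, s_normal: float) -> float:
    """F_A: state value under attack relative to the normal-operation state value S0 (claim 4)."""
    return s_attack / s_normal


def defense_effect(s_attack: float, s_defended: float, s_normal: float) -> float:
    """F_D: the part of the attack-induced state change removed by the defense, in units of S0
    (claims 1 and 4: (S_attack - S_defended) / S_normal under the same attack)."""
    return (s_attack - s_defended) / s_normal


def utility_from_samples(effects: Sequence[float], dt: float = 1.0) -> float:
    """E = sum of the per-instant effects F_1, ..., F_n (formula (10)).
    dt is the sampling interval in seconds, so a 1 Hz series gives the same
    value as average effect x duration."""
    return sum(effects) * dt


def utility(mean_effect: float, duration: float) -> float:
    """E_A = mean F_A x t and E_D = mean F_D x t (formulas (11) and (12))."""
    return mean_effect * duration


def defense_efficiency(e_attack: float, e_attack_defended: float) -> float:
    """DE: fraction of the undefended attack utility E_A removed by the defense.
    Assumption of this example, (E_A - E_A') / E_A; equal to E_D / E_A because
    E_D = E_A - E_A' under the definitions above."""
    return (e_attack - e_attack_defended) / e_attack


def worked_example(duration: float = 60.0) -> Dict[str, float]:
    """Examples 2-4: normal, attacked and defended indicator averages, 60 s engagement."""
    normal = (1, 2, 3, 1, 1, 1)          # Example 2, normal operation (S_N)
    attacked = (10, 20, 30, 10, 10, 10)  # Example 2, during the attack, no defense (S_A)
    defended = (5, 10, 15, 5, 5, 5)      # Example 3, same attack with the defense configured (S_D)

    s_n, s_a, s_d = (state_value(x) for x in (normal, attacked, defended))
    f_a = attack_effect(s_a, s_n)
    f_d = defense_effect(s_a, s_d, s_n)
    e_a = utility(f_a, duration)
    e_d = utility(f_d, duration)
    # E_A': attack utility measured with the defense in place
    e_a_defended = utility(attack_effect(s_d, s_n), duration)
    return {
        "S_N": s_n, "S_A": s_a, "S_D": s_d,
        "F_A": f_a, "F_D": f_d,
        "E_A": e_a, "E_D": e_d, "E_A_defended": e_a_defended,
        "DE": defense_efficiency(e_a, e_a_defended),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>12} = {value:,.4f}")
```

Note that the defense effect and defense efficiency are stated relative to the undefended attack on the same node with the same S0; comparing two defenses measured against different baselines, or against attacks of different intensity, is not meaningful in this model.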

In summary, the invention collects a set of specific indicators through performance monitoring, traffic statistics, packet capture and similar data-collection methods, uses the combination of these indicator data to describe the state of each network node quantitatively, and thereby computes the state of each node while an attack is under way. From the change in node state the current attack and defense effects are computed, and from them the attack and defense utility values; the flow is shown in Figure 3.

The above is only a preferred embodiment of the invention and is not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (4)

1. An application-layer DDoS attack and defense utility measurement method, characterized by comprising the following steps:
step 1: construct an index matrix, the index matrix being a diagonal matrix whose diagonal entries are the indexes of a server; the indexes comprise application-layer indexes, network-traffic indexes and hardware-performance indexes;
step 2: acquire the index values of the server under different attack and defense conditions and obtain the state value of the server from the index matrix constructed in step 1, the state value of the server being the determinant of the index matrix;
step 3: the change of the server's state value under attack relative to its state value under 0 attack and 0 defense is the attack effect value of the server, and the accumulation of the attack effect value over time is the attack utility value of the server; the ratio of the difference between the server's state values before and after the defense measure is added, under the same attack condition, to the server's state value under 0 attack and 0 defense is the defense effect value of the server, and the accumulation of the defense effect value over time is the defense utility value of the server.
2. The application-layer DDoS attack and defense utility measurement method according to claim 1, wherein in step 1 the following six indexes are selected: network throughput per second, number of TCP segments, number of IP datagrams, access failure rate, average response time and CPU occupancy.
3. The application-layer DDoS attack and defense utility measurement method according to claim 1, wherein in step 3 the attack effect value of the server is taken as the average of the server's attack effect values over the attack period, and the defense effect value of the server as the average of the server's defense effect values over the defense period.
4. The application-layer DDoS attack and defense utility measurement method according to claim 1, wherein the attack effect value of the application-layer DDoS on the server is the ratio of the server's state value under attack to its state value in normal operation, and the defense effect value of the server against the application-layer DDoS is the ratio of the difference between the server's state values before and after the defense measure is added, under the same attack condition, to the server's state value in normal operation.
CN201910571268.3A 2019-06-28 2019-06-28 A method for measuring the effectiveness of DDoS attack and defense at the application layer Active CN110224876B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910571268.3A CN110224876B (en) 2019-06-28 2019-06-28 A method for measuring the effectiveness of DDoS attack and defense at the application layer

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910571268.3A CN110224876B (en) 2019-06-28 2019-06-28 A method for measuring the effectiveness of DDoS attack and defense at the application layer

Publications (2)

Publication Number Publication Date
CN110224876A CN110224876A (en) 2019-09-10
CN110224876B true CN110224876B (en) 2020-11-20

Family

ID=67815272

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910571268.3A Active CN110224876B (en) 2019-06-28 2019-06-28 A method for measuring the effectiveness of DDoS attack and defense at the application layer

Country Status (1)

Country Link
CN (1) CN110224876B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12170688B1 (en) * 2021-09-30 2024-12-17 Amazon Technologies, Inc. Automated attack mitigation
CN114866296B (en) * 2022-04-20 2023-07-21 武汉大学 Intrusion detection method, intrusion detection device, intrusion detection equipment and readable storage medium
CN116132080B (en) * 2022-05-29 2024-07-12 北京理工大学长三角研究院(嘉兴) Alliance chain DDoS defense method based on moving target defense technology
CN117873120B (en) * 2024-03-13 2024-05-28 中国民用航空总局第二研究所 State control method, device, equipment and medium for airport unmanned driving equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108282468A (en) * 2018-01-03 2018-07-13 北京交通大学 A kind of application layer ddos attack detection method and device
CN108900513A (en) * 2018-07-02 2018-11-27 哈尔滨工业大学 A kind of DDOS effect evaluation method based on BP neural network
CN108989090A (en) * 2018-06-22 2018-12-11 北京理工大学 Network state model building method and state evaluating method based on Differential Manifold
EP3427437A1 (en) * 2016-03-10 2019-01-16 Telefonaktiebolaget LM Ericsson (PUBL) Ddos defence in a packet-switched network
CN109768989A (en) * 2019-02-27 2019-05-17 重庆邮电大学 Network security situation assessment model based on LAHP-IGFNN
CN109918914A (en) * 2019-03-14 2019-06-21 北京计算机技术及应用研究所 The information system attack defending ability integration assessment system and method for stratification

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454108B (en) * 2017-09-18 2019-07-16 北京理工大学 A network security assessment method based on attack-defense confrontation utility
CN108769042B (en) * 2018-06-06 2020-07-10 北京理工大学 Network security risk assessment method based on differential manifold

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3427437A1 (en) * 2016-03-10 2019-01-16 Telefonaktiebolaget LM Ericsson (PUBL) Ddos defence in a packet-switched network
CN108282468A (en) * 2018-01-03 2018-07-13 北京交通大学 A kind of application layer ddos attack detection method and device
CN108989090A (en) * 2018-06-22 2018-12-11 北京理工大学 Network state model building method and state evaluating method based on Differential Manifold
CN108900513A (en) * 2018-07-02 2018-11-27 哈尔滨工业大学 A kind of DDOS effect evaluation method based on BP neural network
CN109768989A (en) * 2019-02-27 2019-05-17 重庆邮电大学 Network security situation assessment model based on LAHP-IGFNN
CN109918914A (en) * 2019-03-14 2019-06-21 北京计算机技术及应用研究所 The information system attack defending ability integration assessment system and method for stratification

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Xiaolin Zhao, "A Method for Calculating Network System Security Risk Based on a Lie Group", IEEE, vol. 7, 2019-06-11, full text *

Also Published As

Publication number Publication date
CN110224876A (en) 2019-09-10

Similar Documents

Publication Publication Date Title
CN110224876B (en) A method for measuring the effectiveness of DDoS attack and defense at the application layer
CN105553998B (en) A kind of network attack method for detecting abnormality
CN103581186B (en) A kind of network security situational awareness method and system
CN107623697B (en) A network security situation assessment method based on attack and defense random game model
Abraham et al. A predictive framework for cyber security analytics using attack graphs
CN108494810A (en) Network security situation prediction method, apparatus and system towards attack
CN109302408A (en) A network security situation assessment method
Liu et al. Network security risk assessment method based on HMM and attack graph model
CN108040062B (en) Network security situation assessment method based on evidence reasoning rule
JP2015514356A (en) Use of DNS requests and host agents for path exploration and anomaly / change detection and network status recognition for anomaly subgraph detection
CN106713233B (en) A method for judging and protecting network security status
CN109040027A (en) The active predicting method of network vulnerability node based on gray model
He et al. Large-scale IP network behavior anomaly detection and identification using substructure-based approach and multivariate time series mining
CN114629674A (en) Attention mechanism-based industrial control network security risk assessment method
CN105245362A (en) A method for collecting important node information in SDN environment
CN109150920A (en) A kind of attack detecting source tracing method based on software defined network
CN108769042B (en) Network security risk assessment method based on differential manifold
CN103501302A (en) Method and system for automatically extracting worm features
Hanbanchong et al. SARIMA based network bandwidth anomaly detection
Wang et al. HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle
Zhao et al. A method for calculating network system security risk based on a lie group
Xu et al. A novel trust model based on probability and statistics for peer to peer networks
Chen et al. Evaluation of community vulnerability based on communicability and structural dissimilarity
CN102238047B (en) Denial-of-service attack detection method based on external connection behaviors of Web communication group
CN101882997A (en) Network safety evaluation method based on NBA

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant